The Myth of Network Address Translation as Security

Size: px
Start display at page:

Download "The Myth of Network Address Translation as Security"

Transcription

1 The Myth of Network Address Translation as Security The myth that network address translation provides security has been dispelled by the security community many times but persists in some service provider technical communities. WHITE PAPER by Ryan Davis

2 Introduction In service provider networks, the largest use of network address translation (NAT) tends to be at the point of the subscriber Internet edge, but unfortunately this point is also the largest attack surface, carrying the greatest threats, within the service provider network. In mobile networks, this footprint is called by various terms, including Gi LAN, SGi LAN, and mobile edge. In more general terms, it is the location where pure Internet connectivity meets a gateway that manages a specific access technology (such as wireless, cable, or fiber). Gateways are excellent at managing subscriber connectivity on a specific access network, but they are not well suited for applying security controls or address translation due to limited security functionality or excessive cost. Service providers in the past have labored under the mistaken assumption that NAT can provide both address translation and security at the subscriber Internet edge. The security community has tried to dispel that myth, but it persists, and mobile and fixed service providers in today s environment of escalating attacks need to understand why NAT is insufficient. This understanding starts with the recognition that there are many different types of security services at the point of subscriber aggregation in addition to denial of inbound traffic. Subscriber aggregation security 1

3 Subscriber aggregation security A common architectural solution consists of a stateful system between the gateway and the Internet that can provide various services to subscribers and the network. Common types of security services include: DDoS protection. Typically protecting against high-scale attacks from the Internet, distributed denial-of-service (DDoS) attack mitigation consists of eliminating packets that serve no legitimate purpose and limiting packets that deviate from typical behavioral patterns. Port and protocol limiting. Over a decade ago, service providers would provide wide-open access to and from all subscribers. While this did facilitate connectivity for many applications, it also provided a wonderful environment for the spread of viruses and worms, which would excessively consume network resources. Today, most service providers do prevent some protocols on their networks, as well as limiting use of others in an effort to reduce the risk of enabling malware to flourish. Infrastructure protection. The beauty of IP connectivity is that it enables anyone with an IP address to potentially communicate with any other IP address on the planet. However, this also enables subscribers to potentially connect to systems on the service provider s network without any legitimate reason. Implementing controls to protect infrastructure at the subscriber aggregation point is quite important. Botnet mitigation. At any point in time, many subscribers have systems infected with viruses and malware that are communicating to command and control (C&C) systems somewhere on the Internet. Restricting this communication provides benefits to the subscriber as well as to the network by reducing the use of subscriber devices in botnet attacks. Types of service enforcement. Many service providers have various service offerings that enable subscribers to perform different types of connectivity. For example, enterprise customers may require static IP addresses with unlimited protocol usage and the ability to host servers. However, a lower tier of consumer service may restrict the running of servers on mobile devices. Or perhaps a specialized type of IP address class could be used for administrative connectivity to update firmware and software on the CPE. When mobile service providers deploy voice over LTE (VoLTE), they will use a dedicated APN that must have limited connectivity or the risk of revenue leakage increases significantly. These five examples of security controls are not exhaustive, but they do represent a 2

4 These five examples of security controls are not exhaustive, but they do represent a base set of functionality that is required on modern networks at the subscriber aggregation point. With this in mind, NAT solutions do not provide sufficient functionality to secure and protect modern networks. (Note that if a company offers a carrier-grade NAT (CGNAT) solution that performs any of the above functions, it is an admission that NAT alone is insufficient for protecting a service provider s most valuable product the ability to connect people and things.) The proper solution for securing the subscriber Internet edge through services such as those above is not NAT but a carrier-class network firewall such as F5 BIG-IP Advanced Firewall Manager (AFM). Technical Arguments Having established that there are many other security threats that NAT can do nothing to protect against, let s dispel the technical and business myths of using NAT as a security service, even for minimal denial of unsolicited traffic. Stateful and stateless ingress and egress: IPv6 While created to facilitate communication between hosts in overlapping private address space, NAT has seen wide deployment for the main purpose of providing connectivity to more hosts in a network than individual IP addresses are available. Security issues associated with NAT have long been documented. (See the Security Considerations sections of the Internet Engineering Task Force s (IETF s) RFC2663 and RFC2993). These concerns were a large driver for the creation of IPv6. Now that the world has been moving to IPv6 for some time, NAT will no longer be required for hosts that use IPv6. Therefore it will be unavailable to provide any protection to IPv6 hosts. An argument could be made that a stateful NAT46 or NAT64 gateway may provide some security. However, this security would only be partial and short lived. CGNAT is mainly designed to translate traffic between hosts when one side has not converted to IPv6, which means that the ultimate goal is to remove the CGNAT device and allow native IPv6 traffic without translation. Without a carrier-class network firewall, the NAT device becomes the obstacle to full IPv6 migration for the operator. Further, many service provider networks are now providing IPv4/IPv6 dual-stack configurations. In this case, even if the service provider has NAT44 enabled, the IPv6 interface does not, meaning that the organization has decided that NAT suffices for security on the IPv4 interfaces, but the same host remains completely open on the IPv6 interface which is logically incongruent. Why would a network architect believe that protection is required in IPv4 and not IPv6 when the exact same threats apply to both? 3

5 Carrier-class network firewalls must be positioned as solutions today, as operators will not accept lack of security as the obstacle to IPv6 conversion. Deploying a CGNAT point product today will force the operator in the future to repurchase equipment and software as well as to reengineer the network, leading to much higher costs, as change in a service provider network is a difficult process. By contrast, implementing CGNAT functionality on a carrier-class network firewall will ensure a smooth transition to IPv6 in terms of security feature parity and capacity. Figure 1: A CGNAT point product may serve to provide limited security for IPv4 hosts, but leaves IPv6 hosts completely unprotected. Stateless ingress and egress: IPv4 Stateless NAT in general is a rare use case, but it may be employed in some unique situations. Stateless devices allow all traffic, regardless of the request from the subscriber device, to ports that are allowed for reverse NAT. Since they are stateless, they do not know what traffic was sent by the host that required NAT; therefore they must allow all return traffic. It should be apparent that stateless NAT may not be suitable even for most NAT use cases, and is completely unsuitable for any security use cases. Figure 2: A stateless NAT solution, which must allow all return traffic, is completely unsuitable for providing security. Stateful egress: IPv4 4

6 Stateful egress: IPv4 Stateful egress IPv4 NAT gives an operator the ability to partially protect internal hosts from externally initiated traffic in most cases. However, it does not provide protection for internal hosts, nor does it enable the possibility of response to attacks from those internal hosts to other network resources connected to the NAT device. In a large number of cases, many interior hosts that will be compromised may access the Internet for botnet command and control. In a number of rare but most severe cases, these compromised hosts are used as launching pads for advanced attacks on the internal service provider network or externally directed attacks toward higher-level corporate or government targets that will draw unwanted publicity. The costs associated with cleaning up after these types of incidents far outweigh the cost of the solution. Figure 3: Stateful NAT provides no protection for willing or unwilling internal hosts, which may by used by botnets to attack the network or external targets. Stateful ingress: IPv4 Stateful ingress IPv4 traffic is the only traffic type where anyone could reasonably argue that security protection is provided by NAT, and then only under certain conditions. This is a myth that persists, but as the above explanations make clear, that IPv4 traffic is only a fraction of the attack surface presented by networked hosts. Furthermore, stateful NAT does not provide much protection even for IPv4 ingress, given that modern attack techniques assume there will be a NAT device in the path, one that must be subverted. Static and destination translation of hosts provides no security. Some of NAT s supposed security relies on obfuscation, which is not considered by 5

7 Some of NAT s supposed security relies on obfuscation, which is not considered by the security community to be a real solution. Obfuscation only makes it more challenging to find information that can be gained in other ways, so it prevents nothing. The other component of the stateful ingress NAT security myth is that it is thought to provide a one-way street however, it really does not. While it is true that stateful ingress IPv4 NAT will reject externally initiated TCP traffic, that does not mean that an external host cannot in certain situations send traffic to internal hosts or use other methods to circumvent the NAT. In fact, most network-based attacks assume this as a requirement of the compromise. There are several ways to accomplish this circumvention, all of which can be prevented by a firewall. First, an attacker can either use a targeted or a sweep attack to send traffic to ports that are open in the NAT device s state table. The purpose of this attack could be to create a denial-of-service (DoS) by invalidating an existing session on the host or NAT state table, to footprint an internal network, or to inject a malware payload into a third party s existing session in an effort to compromise the internal host. Serious implications are seen in UDP traffic that is by design stateless; however, the same could be accomplished (given host susceptibility) in TCP or other protocols. In addition, NAT may not provide protocol conformance, sequence number checking, or any other layer 2 or layer 3 DoS security measures that firewalls or advanced security devices inherently provide. NAT also provides no tools to respond should security breaches occur. Figure 4: Even for IPv4 hosts, modern attacks frequently can compromise a NAT device in the path. Business arguments The business arguments for positioning a carrier-class network firewall are simple: First, no service provider can afford today s damaging and sometimes high profile security compromises. That s why firewall and network address translation services frequently come bundled together. The monetary damage that can occur on a modern mobile network can easily exceed millions of dollars, with some attacks potentially crippling entire brands. Second, in the case where only a NAT device is present, the service provider has no 6

8 Second, in the case where only a NAT device is present, the service provider has no tools to respond to the attack and must helplessly endure it until ad-hoc solutions are found. Finally, savvy service providers using an advanced firewall device can add additional security services to their customer offerings. Traditionally such additions attract enterprise business customers who have a clear case for protecting their business assets. Without a firewall device with these capabilities, a service provider will never have the opportunity to earn that revenue. In fact, by not showcasing a combined NAT and firewall solution with advanced security features, the service provider enables its customers to assume there is a gap in the service provider s product line or expertise. Conclusion The myth that NAT provides any significant security in light of today s sophisticated attacks needs to be put to rest. From a technical viewpoint, in fact, NAT provides: No security to IPv6 hosts, as NAT is unnecessary for them. No security for stateless NAT hosts. No security for stateful NAT host outbound attacks. Minimal protection for stateful NAT host ingress attacks, since modern attacks assume the presence of a NAT device and readily compromise or circumvent those devices. No tools for responding to security attacks that routinely occur. In business terms, neglecting to deploy a carrier-class network firewall such as BIG- IP AFM as part of an edge NAT and security solution risks both severe and pernicious revenue leakage and shows a lack of innovation by a service provider. By contrast, service providers who deploy an appropriate and feature-rich carriergrade firewall like those available from F5 gain realistic confidence in their network security, mitigate the associated financial and reputational risks of attack, and can take advantage of the opportunity to offer their customers cutting edge and addedvalue security services for increased revenues. F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA Americas info@f5.com Asia-Pacific apacinfo@f5.com Europe/Middle-East/Africa emeainfo@f5.com Japan f5j-info@f5.com 2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. WP-SP nat-vs-firewall-Davis

Managing the Migration to IPv6 Throughout the Service Provider Network White Paper

Managing the Migration to IPv6 Throughout the Service Provider Network White Paper Managing the Migration to IPv6 Throughout the Service Provider Network Managing the Migration to IPv6 Throughout the Service Provider Network White Paper Introduction Service providers are feeling increasing

More information

Simplifying Security for Mobile Networks

Simplifying Security for Mobile Networks Simplifying Security for Mobile Networks Communications service providers face an array of complex challenges, from network growth and increasing security threats to technology transitions. The comprehensive

More information

Large FSI DDoS Protection Reference Architecture

Large FSI DDoS Protection Reference Architecture Large FSI DDoS Protection Reference Architecture Customers ISPa Tier 1: Protecting L3-4 and DNS Network Firewall Services + Simple Load Balancing to Tier 2 Tier 2: Protecting L7 Web Application Firewall

More information

Securing LTE Networks What, Why, and How

Securing LTE Networks What, Why, and How Securing LTE Networks What, Why, and How As security threats evolve, service providers must implement comprehensive security for both their LTE network infrastructures and connected devices to protect

More information

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution Today's security threats increasingly involve application-layer DDoS attacks mounted by organized groups of attackers

More information

Complying with PCI DSS 3.0

Complying with PCI DSS 3.0 New PCI DSS standards are designed to help organizations keep credit card information secure, but can cause expensive implementation challenges. The F5 PCI DSS 3.0 solution allows organizations to protect

More information

OPTIMIZE. MONETIZE. SECURE. Agile, scalable network solutions for service providers.

OPTIMIZE. MONETIZE. SECURE. Agile, scalable network solutions for service providers. OPTIMIZE. MONETIZE. SECURE. Agile, scalable network solutions for service providers. INTRODUCTION F5 has innovated to help operators by embracing virtualization for the key elements of its portfolio, and

More information

Load Balancing 101: Nuts and Bolts

Load Balancing 101: Nuts and Bolts Load Balancing 101: Nuts and Bolts Load balancing technology is the basis on which today's Application Delivery Controllers operate. But the pervasiveness of load balancing technology does not mean it

More information

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall F5 White Paper Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall Organizations need an end-to-end web application and database security solution to protect data, customers,

More information

Deploying a Next-Generation IPS Infrastructure

Deploying a Next-Generation IPS Infrastructure Deploying a Next-Generation IPS Infrastructure Enterprises require intrusion prevention systems (IPSs) to protect their network against attacks. However, implementing an IPS involves challenges of scale

More information

Load Balancing 101: Nuts and Bolts

Load Balancing 101: Nuts and Bolts Load Balancing 101: Nuts and Bolts Load balancing technology is the basis on which today s Application Delivery Controllers operate. But the pervasiveness of load balancing technology does not mean it

More information

Deploying a Next-Generation IPS Infrastructure

Deploying a Next-Generation IPS Infrastructure Deploying a Next-Generation IPS Infrastructure Enterprises require intrusion prevention systems (IPSs) to protect their network against attacks. However, implementing an IPS involves challenges of scale

More information

Protecting Against Online Banking Fraud with F5

Protecting Against Online Banking Fraud with F5 Protecting Against Online Banking Fraud with F5 Fraud is a relentless threat to financial services organizations that offer online banking. The F5 Web Fraud Protection solution defends against malware,

More information

Deploying the BIG-IP LTM with IBM QRadar Logging

Deploying the BIG-IP LTM with IBM QRadar Logging Deployment Guide Deploying the BIG-IP LTM with IBM QRadar Logging Welcome to the F5 deployment guide for IBM Security QRadar SIEM and Log Manager. This guide shows administrators how to configure the BIG-IP

More information

Protect Against Evolving DDoS Threats: The Case for Hybrid

Protect Against Evolving DDoS Threats: The Case for Hybrid Protect Against Evolving DDoS Threats: The Case for Hybrid CIOs want harmony. Security directors loathe point products. Network operations won t buy into anything new. CIOs can get the harmony they need

More information

SNMP: Simplified. White Paper by F5

SNMP: Simplified. White Paper by F5 The Simple Network Management Protocol defines a method for managing devices that connect to IP networks. The "simple" in SNMP refers to the requirements for a managed device, not the protocol. This white

More information

Cookies, Sessions, and Persistence

Cookies, Sessions, and Persistence Cookies, Sessions, and Persistence Cookies and sessions are the most useful hack invented, allowing HTTP to become stateful and applications to work on the web. But it is persistence that ties the two

More information

The Programmable Network

The Programmable Network Emerging software-defined data center solutions focus on the need for programmability in the network to reduce costs and realize the benefits of automation. Whether the goal is cloud computing or an SDN,

More information

WHITE PAPER. F5 and Cisco. Supercharging IT Operations with Full-Stack SDN

WHITE PAPER. F5 and Cisco. Supercharging IT Operations with Full-Stack SDN + WHITE PAPER F5 and Cisco Supercharging IT Operations with Full-Stack SDN Contents Introduction 3 Confronting the bottleneck 3 Evolving SDN technologies 4 An integrated solution 5 Application policies,

More information

Securing the Cloud. White Paper by Peter Silva

Securing the Cloud. White Paper by Peter Silva Cloud computing has become another key resource for IT deployments, but there is still fear of securing applications and data in the cloud. With F5 devices, you can keep your most precious assets safe,

More information

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp?

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp? Deployment Guide Document Version: 1.0 What s inside: 2 Configuration example 4 Securing the isession deployment 6 Downloading and importing the new iapp 6 Configuring the BIG- IP systems using the Cloud

More information

Deploying the BIG-IP System v11 with DNS Servers

Deploying the BIG-IP System v11 with DNS Servers Deployment Guide Document version 1.1 What s inside: 2 What is F5 iapp? 2 Prerequisites and configuration notes 2 Configuration example 3 Preparation Worksheet 4 Configuring the BIG-IP iapp for DNS Servers

More information

Enabling Long Distance Live Migration with F5 and VMware vmotion

Enabling Long Distance Live Migration with F5 and VMware vmotion Enabling Long Distance Live Migration with F5 and VMware vmotion F5 Networks and VMware partner to enable live application and storage migrations between data centers and clouds, over short or long distances.

More information

Session Initiated Protocol (SIP): A Five-Function Protocol

Session Initiated Protocol (SIP): A Five-Function Protocol Session Initiated Protocol (SIP): A Five-Function Protocol SIP is an application-layer control protocol that can establish, modify, and terminate multimedia sessions (conferences) such as Internet telephony

More information

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP Meeting the Challenges of an HA Architecture for IBM WebSphere SIP Voice and multi-media features available in IBM WebSphere Application Server enable a new generation of integrated applications but also

More information

The F5 Application Services Reference Architecture

The F5 Application Services Reference Architecture The F5 Application Services Reference Architecture Build elastic, flexible application delivery fabrics that are ready to meet the challenges of optimizing and securing applications in a constantly evolving

More information

F5 and Nuage Networks Partnership Overview for Enterprises

F5 and Nuage Networks Partnership Overview for Enterprises Partnership Overview for Enterprises Automate and accelerate application and network services deployment with. Key benefits enable you to: Deploy a flexible, agile, and programmable network that can instantiate

More information

The F5 Intelligent DNS Scale Reference Architecture

The F5 Intelligent DNS Scale Reference Architecture The F5 Intelligent DNS Scale Reference Architecture End-to-end DNS delivery solutions from F5 maximize the use of organizational resources, while remaining agile and intelligent enough to scale and support

More information

Data Center Virtualization Q&A

Data Center Virtualization Q&A Data Center Virtualization Q&A Q What's driving the need for data center virtualization? A We know that if business continuity is a key objective of an organization, it means that operations are up and

More information

Document version: 1.0 What's inside: Products and versions tested Important:

Document version: 1.0 What's inside: Products and versions tested Important: Deployment Guide Document version: 1.0 What's inside: 2 Prerequisites and configuration notes 2 Configuration example 3 Configuring the BIG-IP ASM for Oracle Database Firewall 3 Configuring the BIG-IP

More information

Enhancing VMware Horizon View with F5 Solutions

Enhancing VMware Horizon View with F5 Solutions Enhancing VMware Horizon View with F5 Solutions VMware Horizon View is the leading virtualization solution for delivering desktops as a managed service to a wide range of devices. F5 BIG-IP devices optimize

More information

Webshells. Webshell Examples. How does a webshell attack work? Nir Zigler,

Webshells. Webshell Examples. How does a webshell attack work? Nir Zigler, Webshells Nir Zigler, 2014-01-09 Webshells are web scripts (PHP/ASPX/etc.) that act as a control panel for the server running them. A webshell may be legitimately used by the administrator to perform actions

More information

Archived. h h Health monitoring of the Guardium S-TAP Collectors to ensure traffic is sent to a Collector that is actually up and available,

Archived. h h Health monitoring of the Guardium S-TAP Collectors to ensure traffic is sent to a Collector that is actually up and available, Deployment Guide Document version 1.6 What's inside: 2 Products and versions 2 Prerequisites and configuration notes 2 Configuration example 3 Understanding BIG-IP connection balancing Guardium connections

More information

Unified Application Delivery

Unified Application Delivery The vision of a unified application delivery network gets more clear with F5 BIG-IP v10. White Paper by Lori MacVittie The Vision For every problem that arises out of the dust left behind as new technologies

More information

Vulnerability Assessment with Application Security

Vulnerability Assessment with Application Security Vulnerability Assessment with Application Security Targeted attacks are growing and companies are scrambling to protect critical web applications. Both a vulnerability scanner and a web application firewall

More information

DESIGN GUIDE. VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide

DESIGN GUIDE. VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide Contents Intended Audience 3 Overview 3 NSX and BIG-IP Topology Options 4 Topology 1: Parallel to NSX Edge Using VXLAN Overlays with BIG-IP Physical

More information

Geolocation and Application Delivery

Geolocation and Application Delivery F5 White Paper Geolocation and Application Delivery The data from geolocation providers offers highly valuable data to a variety of stakeholders and is no longer just for advertising. by Lori MacVittie

More information

Deploying the BIG-IP System with Oracle Hyperion Applications

Deploying the BIG-IP System with Oracle Hyperion Applications Deployment Guide DOCUMENT VERSION.0 What s inside: Prerequisites and configuration notes Configuration example Preparation Worksheet Configuring the BIG-IP system for Hyperion Planning Workspace 5 Configuring

More information

Improving VDI with Scalable Infrastructure

Improving VDI with Scalable Infrastructure Improving VDI with Scalable Infrastructure As virtual desktop infrastructure (VDI) has become more prevalent, point solutions have emerged to address associated delivery issues. These solutions burden

More information

Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested

Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested Deployment Guide Document version 1.0 What s inside: Products and versions tested Prerequisites and configuration notes Configuration example and traffic flows 3 Configuring the BIG-IP system for IBM Cognos

More information

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager PARTNER USE CASE Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager F5 BIG-IP WAN Optimization Manager (WOM) helps organizations optimize data replication with NetApp

More information

Maintain Your F5 Solution with Fast, Reliable Support

Maintain Your F5 Solution with Fast, Reliable Support What s Inside 2 Standard and Premium Support Features 2 Expert Assistance When You Need It 2 Proactive Case Management 3 irules Support 3 Software Upgrades and Updates 3 Self-Service Resources 3 Expedited

More information

Multi-Tenancy Designs for the F5 High-Performance Services Fabric

Multi-Tenancy Designs for the F5 High-Performance Services Fabric Multi-Tenancy Designs for the F5 High-Performance Services Fabric F5 has transformed the traditional networking design of highly available pairs of hardware devices to create a new architecture a multi-tenant

More information

Prompta volumus denique eam ei, mel autem

Prompta volumus denique eam ei, mel autem VMware Utroque Democritum Horizon View Aeterno Nostro Optimized Aperiam Secure Usu Access Prompta volumus denique eam ei, mel autem The F5 BIG-IP platform optimizes the VMware View user experience and

More information

Deploying the BIG-IP System with CA SiteMinder

Deploying the BIG-IP System with CA SiteMinder Deployment Guide Document version 1.0 What's inside: 2 Prerequisites and configuration notes 2 Configuration example 3 Configuring the BIG-IP LTM for the SiteMinder Administrative User Interface servers

More information

Solutions Guide. F5 solutions for the emerging 5G landscape

Solutions Guide. F5 solutions for the emerging 5G landscape Solutions Guide F5 solutions for the emerging 5G landscape 1 F5 Solutions for the emerging 5G landscape. Access Network Control Plane Cloud Mobile Edge and Core Analytics DNS EPC & IMS DDoS Mobile Access

More information

Server Virtualization Incentive Program

Server Virtualization Incentive Program Formerly Server Virtualization Incentive Program, VMware Only Program Overview: F5 and VMware VMware, a market leader in virtualization, provides a rich suite of advanced virtualization solutions, from

More information

Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems

Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems Deployment Guide Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems Welcome to the F5 deployment guide for VMware vmotion. This document contains guidance on configuring

More information

Network Functions Virtualization - Everything Old Is New Again

Network Functions Virtualization - Everything Old Is New Again Network Functions Virtualization - Everything Old Is New Again Service providers are looking to use network functions virtualization (NFV) to build dynamic, virtualized networks with application and content

More information

F5 Reference Architecture for Cisco ACI

F5 Reference Architecture for Cisco ACI F5 Reference Architecture for Cisco ACI Today s businesses face complex challenges to stay efficient and competitive. Together, F5 and Cisco enable organizations to dramatically reduce time to value on

More information

Considerations for VoLTE Implementation

Considerations for VoLTE Implementation Considerations for VoLTE Implementation The mobile industry is in a painful transition as service providers make the costly mass migration to a new network environment: LTE. Adding to the situation, many

More information

Distributing Applications for Disaster Planning and Availability

Distributing Applications for Disaster Planning and Availability Distributing Applications for Disaster Planning and Availability Managing applications in multiple data centers in real time can be a challenge, especially when the data centers are geographically distributed.

More information

Securing Your Microsoft Azure Virtual Networks

Securing Your Microsoft Azure Virtual Networks Securing Your Microsoft Azure Virtual Networks IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up

More information

Securing Your Amazon Web Services Virtual Networks

Securing Your Amazon Web Services Virtual Networks Securing Your Amazon Web Services s IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up a workload,

More information

TCP Optimization for Service Providers

TCP Optimization for Service Providers TCP Optimization for Service Providers Service providers want to deliver the best quality of experience possible to their subscribers while maximizing network efficiency. Data optimization technologies

More information

F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services

F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services ChrisMutzel, 2015-17-08 Thus far in our article series about running BIG-IP in EC2, we ve talked about some VPC/EC2 routing and

More information

ANNUAL REPORT SOLUTIONS FOR AN APPLICATION WORLD.

ANNUAL REPORT SOLUTIONS FOR AN APPLICATION WORLD. 2013 ANNUAL REPORT SOLUTIONS FOR AN APPLICATION WORLD. TO OUR SHAREHOLDERS, CUSTOMERS AND PARTNERS: Following an uneven first half, fiscal 2013 concluded with a strong finish that positioned F5 for solid

More information

Optimize and Accelerate Your Mission- Critical Applications across the WAN

Optimize and Accelerate Your Mission- Critical Applications across the WAN BIG IP WAN Optimization Module DATASHEET What s Inside: 1 Key Benefits 2 BIG-IP WAN Optimization Infrastructure 3 Data Optimization Across the WAN 4 TCP Optimization 4 Application Protocol Optimization

More information

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Introduction Amazon Web Services (AWS) provides Infrastructure as a Service (IaaS) cloud offerings for organizations. Using AWS,

More information

A GUIDE TO DDoS PROTECTION

A GUIDE TO DDoS PROTECTION HTTP CACHE BYPASS FLOOD THINK APP SECURITY FIRST CHOOSING THE RIGHT MODEL A GUIDE TO DDoS PROTECTION DNS AMPLIFICATION INTRODUCTION By thinking proactively about DDoS defense, organizations can build a

More information

Prompta volumus denique eam ei, mel autem

Prompta volumus denique eam ei, mel autem The Utroque F5 Intelligent Democritum DNS Aeterno Scale Nostro Reference Aperiam Architecture. Usu Prompta volumus denique eam ei, mel autem End-to-end DNS delivery solutions from F5 maximize the use of

More information

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks 2 WHAT IS A DDOS-ATTACK AND WHY ARE THEY DANGEROUS? Today's global network is a dynamically developing

More information

Key Considerations in Choosing a Web Application Firewall

Key Considerations in Choosing a Web Application Firewall Key Considerations in Choosing a Web Application Firewall Today, enterprises are extending their businesses by using more web-based and cloud-hosted applications, so a robust and agile web application

More information

The Expectation of SSL Everywhere

The Expectation of SSL Everywhere The Expectation of SSL Everywhere SSL is the last line of defense for communication and commerce for people around the globe. It s time for organizations to properly embrace a higher security posture to

More information

Converting a Cisco ACE configuration file to F5 BIG IP Format

Converting a Cisco ACE configuration file to F5 BIG IP Format Converting a Cisco ACE configuration file to F5 BIG IP Format Joe Pruitt, 2012-11-12 In September, Cisco announced that it was ceasing development and pulling back on sales of its Application Control Engine

More information

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System As enterprises around the globe move to increasingly virtualized environments, they can use a Cisco and NetApp FlexPod

More information

Resource Provisioning Hardware Virtualization, Your Way

Resource Provisioning Hardware Virtualization, Your Way F5 White Paper Resource Provisioning Hardware Virtualization, Your Way Resource allocation can be a fine line, starving services if the adequate allocation isn t precisely managed. Resource provisioning

More information

Citrix Federated Authentication Service Integration with APM

Citrix Federated Authentication Service Integration with APM Citrix Federated Authentication Service Integration with APM Graham Alderson, 2016-19-12 Introduction This guide will cover how to use APM as the access gateway in front of Storefront when using Citrix

More information

Creating a Hybrid ADN Architecture with both Virtual and Physical ADCs

Creating a Hybrid ADN Architecture with both Virtual and Physical ADCs Creating a Hybrid ADN Architecture with both Virtual and Physical ADCs The virtualization of network and application network infrastructure is the second wave of the virtualization tsunami to hit the shores

More information

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments Trusted protection for endpoints and messaging environments Overview creates a protected endpoint and messaging environment that is secure against today s complex data loss, malware, and spam threats controlling

More information

Secure Mobile Access to Corporate Applications

Secure Mobile Access to Corporate Applications Secure Mobile Access to Corporate Applications The way corporations operate around mobile devices is currently shifting employees are starting to use their own devices for business purposes, rather than

More information

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform By the F5 business development team for the Microsoft Global Alliance Version 1.0 Introduction As the use of mobile devices in the

More information

Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017

Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017 Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017 Jay Kelley, 2015-22-12 February 2017 Update Endpoint inspection and network access support with Chrome browser, Firefox,

More information

Arbor White Paper Keeping the Lights On

Arbor White Paper Keeping the Lights On Arbor White Paper Keeping the Lights On The Importance of DDoS Defense in Business Continuity Planning About Arbor Networks Arbor Networks Inc., the cyber security division of NETSCOUT, helps secure the

More information

OVERVIEW. Virtual Solutions for Your NFV Environment

OVERVIEW. Virtual Solutions for Your NFV Environment Contents Introduction 3 Build a Virtualized Network with F5 s 4 Virtual Firewall (vfw) 4 Virtual CGNAT (vcgn) 4 Virtual Policy Charging Enforcement Function (vpcef) 4 Virtual Content Insertion (vci) 4

More information

v.10 - Working the GTM Command Line Interface

v.10 - Working the GTM Command Line Interface v.10 - Working the GTM Command Line Interface Jason Rahm, 2009-21-04 A couple weeks ago I blogged about the enhancements that v.10 brought to GTM, the most anticipated being that GTM now has a command

More information

RESELLER LOGO RADICALLY BETTER. DDoS PROTECTION. Radically more effective, radically more affordable solutions for small and medium enterprises

RESELLER LOGO RADICALLY BETTER. DDoS PROTECTION. Radically more effective, radically more affordable solutions for small and medium enterprises RESELLER LOGO RADICALLY BETTER DDoS PROTECTION Radically more effective, radically more affordable solutions for small and medium enterprises IT S TIME TO GET SERIOUS ABOUT CYBER CRIME Despite the headline

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper F5 In this white paper, get an introduction to F5 icontrol service-enabled management API. by Lori MacVittie Technical Marketing Manager, Application Services Contents Introduction 3 icontrol Basics 3

More information

Enabling Efficient and Scalable Zero-Trust Security

Enabling Efficient and Scalable Zero-Trust Security WHITE PAPER Enabling Efficient and Scalable Zero-Trust Security FOR CLOUD DATA CENTERS WITH AGILIO SMARTNICS THE NEED FOR ZERO-TRUST SECURITY The rapid evolution of cloud-based data centers to support

More information

SEGMENTATION TO A TRADITIONAL DATA CENTER

SEGMENTATION TO A TRADITIONAL DATA CENTER APPLY NETWORK SEGMENTATION TO A TRADITIONAL DATA CENTER SUMMARY Industry Financial Services Use Case Apply network segmentation for effective protection of mission-critical applications and data in a traditional

More information

FIREWALL BEST PRACTICES TO BLOCK

FIREWALL BEST PRACTICES TO BLOCK Brought to you by Enterprie Control Systems FIREWALL BEST PRACTICES TO BLOCK Recent ransomware attacks like Wanna and Petya have spread largely unchecked through corporate networks in recent months, extorting

More information

BIG-IP CGNAT: Implementations. Version 12.1

BIG-IP CGNAT: Implementations. Version 12.1 BIG-IP CGNAT: Implementations Version 12.1 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 7 Overview: The carrier-grade NAT (CGNAT) module... 7 About ALG Profiles...8 About CGNAT

More information

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions F5 White Paper Managing BIG-IP Devices with HP and Microsoft Network Management Solutions Using third-party tools such as HP Network Node Manager i and Microsoft System Center Operations Manager, it has

More information

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS 1 Introduction Your data and infrastructure are at the heart of your business. Your employees, business partners, and

More information

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 4, ISSUE 3 3RD QUARTER 2017 Complimentary report supplied by CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017 4 DDoS

More information

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution F5 Technical Brief F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management

More information

The Dynamic DNS Infrastructure

The Dynamic DNS Infrastructure The Dynamic DNS Infrastructure Between the proliferation of mobile devices and the ever- increasing amount of content on the web, DNS usage has seen a huge increase in recent years. Meanwhile, DNS continues

More information

Intel Network Builders Solution Brief. Etisalat* and Intel Virtualizing the Internet. Flexibility

Intel Network Builders Solution Brief. Etisalat* and Intel Virtualizing the Internet. Flexibility Intel Network Builders Solution Brief Etisalat* and Intel Virtualizing the Internet Gateway Gi-LAN for Service Flexibility Introduction Etisalat Group* is one of the world s leading telecom groups in emerging

More information

Software-Defined Hardware: Enabling Performance and Agility with the BIG-IP iseries Architecture

Software-Defined Hardware: Enabling Performance and Agility with the BIG-IP iseries Architecture Software-Defined Hardware: Enabling Performance and Agility with the BIG-IP iseries Architecture White Paper Introduction A perfect storm of market trends is shifting the application and IT landscape.

More information

BIG-IP CGNAT: Implementations. Version 13.0

BIG-IP CGNAT: Implementations. Version 13.0 BIG-IP CGNAT: Implementations Version 13.0 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 9 Overview: The carrier-grade NAT (CGNAT) module... 9 About ALG Profiles...10 About CGNAT

More information

Security Gap Analysis: Aggregrated Results

Security Gap Analysis: Aggregrated Results Email Security Gap Analysis: Aggregrated Results Average rates at which enterprise email security systems miss spam, phishing and malware attachments November 2017 www.cyren.com 1 Email Security Gap Analysis:

More information

Automating the Data Center

Automating the Data Center F5 White Paper This paper discusses an alternative architecture that supports data center automation and dynamic provisioning without operating system virtualization. by Lori MacVittie Technical Marketing

More information

DDoS MITIGATION BEST PRACTICES

DDoS MITIGATION BEST PRACTICES DDoS MITIGATION BEST PRACTICES DDoS ATTACKS ARE INCREASING EXPONENTIALLY Organizations are becoming increasingly aware of the threat that Distributed Denial of Service (DDoS) attacks can pose. According

More information

Transition To IPv6 October 2011

Transition To IPv6 October 2011 Transition To IPv6 October 2011 Fred Bovy ccie #3013 fred@fredbovy.com 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 1 1st Generation: The IPv6 Pioneers Tunnels for Experimental testing or Enterprises

More information

VMware vcenter Site Recovery Manager

VMware vcenter Site Recovery Manager VMware vcenter Site Recovery Manager Welcome to the BIG-IP deployment guide for (SRM). This guide provides procedures for configuring the BIG-IP Local Traffic Manager (LTM), Global Traffic Manager (GTM),

More information

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Designed to Prevent, Detect, and Block Malicious Attacks on Both IPv4 and IPv6 Networks TM Introduction With the exponential

More information

Mitigating Branch Office Risks with SD-WAN

Mitigating Branch Office Risks with SD-WAN WHITE PAPER Mitigating Branch Office Risks with SD-WAN 1 M itigating Branch Office Risks with SD-WAN Branch Security Overview The branch or remote office stands out as a point of vulnerability in an increasingly

More information

Broadband Internet Access Disclosure

Broadband Internet Access Disclosure Broadband Internet Access Disclosure This document provides information about the network practices, performance characteristics, and commercial terms applicable broadband Internet access services provided

More information